MICROSOFT SECURITY BLOG
Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID
MEDIUM Entra ID passkeys phishing-resistant authentication
Strategic summary
Starting September 1, 2026, Microsoft will make passkeys the default authentication method in Entra ID. Users currently on SMS or voice authentication will be automatically enabled for passkeys and prompted to register. Microsoft will retire its native telecom delivery for SMS and voice on February 1, 2027, after which organizations can use paid telecom partners. Companies like Joel Traber AG in manufacturing should urgently move to phishing-resistant methods.
Key findings
- Passkeys become the default in Microsoft Entra ID from September 2026, replacing SMS/voice.
- SMS and voice users will be automatically enabled for passkeys and prompted to register at their next multifactor authentication.
- Microsoft retires its own SMS/voice delivery on February 1, 2027, alternatives only via telecom partners at extra cost.
- AI-powered phishing campaigns achieve click rates up to 54%, heightening the need for phishing-resistant authentication.
- Migration to passkeys incurs no direct license costs but provides stronger protection against identity theft.
Relevance for you
Microsoft is making passkeys the default authentication method in Entra ID beginning September 1, 2026, to reduce phishing, SIM swapping, and MFA bypass attacks.
Risk score
0
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 0.00
- raw before weight
- 0.00
- industry weight
- 1.10
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational